

Intrusion Prevention Systems (IPS)

Part one:
Deciphering the inline Intrusion Prevention hype, and working toward a real-world, proactive security solution

Secure Computing Corporation

Corporate Headquarters: 4810 Harwood Road, San Jose, CA 95124 USA, tel +1.800.379.4944, tel +1.408.979.6100, fax +1.408.979.6501
European Headquarters: East Wing, Piper House, Hatch Lane, Windsor SL4 3QP UK, tel +44.1753.410900, fax +44.1753.410901
Asia/Pac Headquarters: 801 Yue Xiu Bldg., Nos. 160-174 Lockhart Rd., Wanchai, Hong Kong, tel +852.2520.2422, fax +852.2587.1333
Japan Headquarters: Level 15 JT Bldg., 2-2-1 Toranomon, Minato-ku, Tokyo 105-0001 Japan, tel +81.3.5114.8224, fax +81.3.5114.8226

2003 Secure Computing Corporation. All Rights Reserved. 08/20/03 and SCC082003. Secure Computing, SafeWord, Sidewinder, SmartFilter, Type Enforcement, SecureOS, and Strikeback are trademarks of Secure Computing Corporation, registered in the U.S. Patent and Trademark Office and in other countries. G2 Firewall, Sidewinder G2, G2 Enterprise Manager, Application Defenses, PremierAccess, MobilePass, Power-It-On!, enterprise strong, On-Box, Plug into a positive Web experience, and Protecting the world's most important networks are trademarks of Secure Computing Corporation.

Intrusion Prevention Systems (IPS), part one

Protecting networked applications from attackers that threaten application availability, database integrity, data-presentation integrity, and data privacy is at the forefront of IT security professionals' minds today. The term Intrusion Prevention has recently moved to the top of the buzz-factor charts in the security world, hence most security and IT professionals are becoming interested in learning more about it as quickly as possible. To begin understanding what the buzz about Intrusion Prevention is really all about, we need to begin by agreeing that the term itself can mean different things depending upon who is doing the talking. Remember SSO, PKI, and IDS? Today's high buzz-factor three-letter acronym, IPS (Intrusion Prevention System), joins a long line of next-generation security technologies that promised to lead us to a higher level of security nirvana and peace of mind, so be advised. Because of the confusion around the term Intrusion Prevention, it is important to organize and accurately describe the role and capabilities desired in order to understand what problems an Intrusion Prevention product might solve. This roughly breaks down to where in the network intrusions are prevented and how. There are basically two types of Intrusion Prevention being discussed in the marketplace today: host-based and inline (network-based). This paper deals exclusively with the notion of inline security. The paper also discusses the nature of known and unknown threats and how dealing with both is the ultimate goal for IT security. Dealing with known application-specific threats is the focus of Intrusion Prevention, and preventing both known and unknown threats is the focus of Application Defenses, a term we also discuss in this paper. The goal of this paper is to offer insightful views of new terminology in the context of evolving application-level threats and the long list of both legacy and new security products that are quickly re-shaping around the terminology.
The paper provides common-sense clarity and is written for busy security and IT professionals who need to quickly find their way through the latest hype to determine what, if anything, to do about it. It concludes with five simple ways to evaluate new emerging vendors and their proposed security solutions for any type of organization.

Contents

Summary of key points . . . 4
Intrusion Prevention Systems . . . 4
So, what then should organizations do to qualify their needs for Application Defenses and Intrusion Prevention? . . . 4
Introduction . . . 5
Intrusion Prevention: revolution or evolution? . . . 5
IT security is evolution by definition . . . 5
The obvious need behind the Intrusion Prevention hype . . . 5
IT security ultimately needs to provide protection against known and unknown threats . . . 6
Characteristics of new application-level attacks that are driving security technology innovation . . . 7
What is an Intrusion Prevention System? . . . 7
Intrusion Prevention Systems (IPS) defined . . . 7
What do the analysts say about IPS? . . . 8
Intrusion Prevention signals evolution from a reactive to a proactive security model . . . 8
What's out there now and what can it do for me, or not? . . . 9
Products currently available trying to provide parts of Intrusion Prevention . . . 9
The security market is segmented . . . 9
Developing an Intrusion Prevention System is not an easy task . . . 10
The IPS buzz word is closely associated with new emerging companies and products . . . 10
What about IDS (Intrusion Detection Systems)? . . . 11
Emphasis on performance . . . 12
Trade-offs with ASICs . . . 12
Application Defenses defined . . . 13
What are Application Defenses? . . . 13
Why firewalls with Application Defenses are the home for IPS . . . 14
The state of IPS technology . . . 14
Long-term goals . . . 15
Challenges to reaching these goals . . . 15
A pragmatic view of the future . . . 15
Evaluating options . . . 16
Security matters . . . 16
Current investments matter . . . 16
Track record matters . . . 16
Relationships matter . . . 16
Your needs matter . . . 17
Glossary of terms . . . 17
References . . . 17


Summary of key points

Intrusion Prevention Systems
The world of IT security is continuously evolving. Deciphering new buzzwords like Intrusion Prevention in the context of that continuous evolution can be helpful in evaluating your existing enterprise security strategies. The multi-layered, defense-in-depth approach to IT security continues to be validated as the industry evolves. This next evolutionary cycle does not appear to be moving away from a layered defense-in-depth approach; it appears, instead, to be more about how existing defense technologies are organized into new or modified products and services.

Intrusion Prevention evolves from a number of existing security technologies; it is not a revolutionary new approach to network security. Intrusion Prevention, like anti-virus and IDS (Intrusion Detection Systems), targets known attacks for prevention. New attacks are quickly analyzed by an IPS service provider; after the attack's signature has been identified, it is added to an IPS look-up database.

Conventional practice recommends that IT security teams keep systems current and patched to the latest levels, yet in reality this is an unachievable goal. So the traditional thinking on how to maintain a high state of security for networked applications is being questioned and re-aligned. This shift in focus from simple stateful-inspection access control firewalls to deep-packet inspection, intrusion-preventing firewalls signifies an accelerated transition from a reactive to a proactive security posture.

There are a number of emerging new security companies (all pre-IPO) focusing their message on Intrusion Prevention, but only for one protocol: HTTP. The traditional multi-protocol security firewall companies are adjusting their marketing and positioning as a result, and some of them claim to be building new technology. There will likely be mergers, acquisitions, and the inevitable liquidations coming in the near future to this new Intrusion Prevention area of the IT security marketplace.

Enterprises are well served to examine carefully what specific needs they have in the context of changing requirements. The only inline networking components that have proven to prevent attacks are firewalls and anti-virus gateways. The firewall is the natural platform for Intrusion Prevention because it is the only gateway architecture that incorporates time-proven multi-protocol Application Defenses, including anti-virus scanning, in an integrated policy-based approach. Intrusion Prevention might be the flavor of the week, but products that continually prove their ability to provide comprehensive Application Defenses are the most suitable for inclusion in your IT security strategy.

So, what then should organizations do to qualify their needs for Application Defenses and Intrusion Prevention?
Talk to the security vendors you trust and with whom you have a strong relationship, and discuss their thinking about and their roadmap for Application Defenses. Have them help you distinguish between the hype and the reality. Understand technically how their product might protect your network against new emerging threats in a practical context. For example, ask how their offering could potentially stop the Code Red, Nimda, or SQL Slammer of tomorrow. Move cautiously before putting an unproven system into production. Experiment with new entrant products in a lab or in front of non-mission-critical networked applications.


Intrusion Prevention: revolution or evolution?
The security term Intrusion Prevention, which has recently shown up in the lexicon of the security industry, is certainly more than a magic marketing incarnation. However, it is definitely not describing a revolutionary new security technology. To describe Intrusion Prevention as revolutionary, one would have to have a limited view of the security products market. Intrusion Prevention, as understood in this paper, encompasses aspects of many well-known, existing security technologies including anti-virus, intrusion detection, firewall, and employee Internet access filtering (to name just a few of the most obvious examples). Therefore, as much as some marketing professionals will try to make you believe that Intrusion Prevention is the next great leap forward, revolutions rarely occur in the security world. Rather, evolution is clearly the more dominant method of change. And even when new security technologies do occasionally demonstrate seemingly solid evidence of being revolutionary, which does happen of course, the technologies rarely succeed in the real world. Such is the world of IT security. This recent morphing of various security concepts, technologies, and terms into Intrusion Prevention is worth paying attention to, but don't look for the world to change too much in the immediate future as a result.

IT security is evolution by definition

A classic truism in the security business, be it building vaults for banks, fences for nuclear power plants, or software for computer systems, is that you cannot avoid the ever-escalating threat-countermeasure cycle of protection. For example, you build a vault to store your money in that seems impossible to break into. Of course, it is not. Someone eventually finds a vulnerability that the designers never thought of, and a new security threat to bank-vault design emerges. In response, the bank vault manufacturing industry makes the doors thicker, or the locks more complicated, or modifies the design in whatever way seems prudent to minimize the vault's vulnerability to this newest known threat. The changes in the vault's design are made as quickly as possible and represent what are called countermeasures. This classic security cycle is termed the threat-countermeasure cycle. Secure Computing often refers to this as the react-and-patch cycle, and users of Microsoft software in particular are well aware of this attack-du-jour, never-ending process. All of today's IT security products more or less develop in this evolutionary way, and our highly competitive security product markets evolve this way as well.

The obvious need behind the Intrusion Prevention hype

The buzz around the term Intrusion Prevention is being driven by the marketing efforts of some new emerging pre-IPO companies, some startling coverage that the topic is getting from analysts such as Gartner, and of course, the press. New Web firewall products are beginning to be evaluated and the discussion is heating up. A high percentage of traffic today is being driven through Port 80, the Web port, and most commodity firewalls lack the ability to apply application-layer policy enforcement on that big volume of traffic. For now, Port 80 has become the symbol of a critical deficiency in simple stateful inspection firewalls because of the success of recent high-profile attacks, Code Red among them, and the acceleration of Web Services B2B deployments that tunnel SOAP objects through Port 80. Chief Information Officers and Chief Information Security Officers are presently analyzing whether or not they need to put in place additional countermeasures for a whole new class of impending application-specific threats, in light of the reality that they have deployed screening firewalls, anti-virus software, and intrusion detection systems on their networks but still feel vulnerable. In the face of this rising threat, risk has to be more thoroughly evaluated and mitigation plans better thought out for further augmenting current systems. The demand for more open access, consumer concerns, and increased regulations are all on the rise. Hence, security professionals are looking to add the required security to support business-unit demands:


- Business-line managers are pushing for more open access to corporate applications in efforts to achieve higher productivity. Extranet access points via IPsec and the so-called client-less VPNs are being hooked into network perimeters to extend services to an increasingly mobile and distributed work force.
- The consumer is experiencing hacker-induced denials of service to online store fronts, causing frustration and lack of confidence in doing transactions on the Internet. Credit card numbers and other private data are also being stolen.
- Widespread public privacy concerns have spurred new regulations in the healthcare and the legal communities, including HIPAA (Health Information Portability and Accountability Act), Gramm-Leach-Bliley (GLB), and Sarbanes-Oxley, to name a few examples. Lawmakers are requiring more accountability from those who are required to provide information security and privacy.

As a result of the demand to protect our systems, companies and government agencies are highly motivated to address the issue. Established security vendors in the firewall and IDS segments are examining their products and rethinking their messaging. Companies that build Web farm High Availability (HA) load-balancing systems are even being encouraged by some market forces to see what they might have to offer to address new threats to networked applications. New companies are also emerging (pre-IPO) with products intended to provide quick, singular fixes. The intentions are generally good and progress is being made, but an overriding solution is not yet here. This paper discusses the progress and the limitations of what is available today, as well as what is needed for a true, all-encompassing solution in the future, and what is needed to get us there.

IT security ultimately needs to provide protection against known and unknown threats
As new threats evolve, security professionals must face challenges on several fronts:

1. Provide protection against known application-specific threats slipping through commodity firewalls that can't see application-specific attacks (Intrusion Prevention). Anti-virus gateways supported by virus signature databases and update services provide some protection today, but more is needed.
2. Provide more granular filtering protections for all protocols, not just HTTP (multi-protocol Intrusion Prevention). Some of these types of threats are currently being addressed by hybrid application-proxy firewalls.
3. Solve the high incidence of false positives and false negatives associated with the IDS solutions of today. Leading IDS vendors are working aggressively to address current shortfalls.
4. Provide application-specific filtering, blocking, and validating techniques with granular content controls for the purpose of eliminating as many known and unknown attacks as possible. The purpose is to reduce the risk of unknown threats becoming the next known Code Red in the news (Application Defenses). Hybrid firewalls, capable of layer 3 to layer 7 security mechanisms, will provide the most likely foundation for progress here.
5. Scale for high-bandwidth requirements. Progress here will include performance improvements in off-the-shelf hardware, programmable network interface cards, ASIC-based (application-specific integrated circuit-based) gateways, and better management tools for high-capacity clustered gateway solutions.

These objectives pose a tall order, and the industry is part of the way there. Some systems are in place now to address portions of items 1, 2, and 3, and certain models in existence today provide the framework for addressing items 4 and 5.
Making progress in all of these areas will be an evolutionary process, and our intent in this paper is to provide insight into what is available today (pros and cons), and how the evolution to the next level is likely to develop in the future.


Characteristics of new application-level attacks that are driving security technology innovation
Security systems are being pushed forward because e-business initiatives are stretched beyond their natural capabilities. This stretching has left systems and applications open to hackers discovering and then exploiting weaknesses within the application's client-server communications processes. Hackers have proven that it is not that hard to find a plethora of vulnerabilities to exploit in both new and older versions of applications, which exist because automated programming tools and insufficient software testing methods do not consider, for example, user inputs to Web applications to be points of vulnerability. Building into applications the capability to natively protect themselves from attack during normal use is not a strong enough objective of application designers. And because the attacks occur during normal use of the application, these application-specific attacks do not necessarily violate RFC standards, or even the protocols themselves. As a result, the attacks are often invisible to security filters in many systems and are therefore able to hide in the normal-looking stream of traffic. This new evolution in attacks is clever, application-specific, and very hard to notice as an anomaly in what appears to be completely normal traffic going by.

What is an Intrusion Prevention System?

Intrusion Prevention Systems (IPS) defined
Two types of Intrusion Prevention are being discussed in the marketplace today: host-based and inline (network-based). Host-based systems would be Intrusion Prevention software written to be hooked directly into applications or installed directly on the application servers that host the applications. This paper deals exclusively with the notion of inline security. Inline security would be similar in architecture to a dual-homed firewall or an anti-virus gateway that sits upstream from protected applications and applies Intrusion Prevention services for multiple applications downstream of the IPS. As such, we define IPS as follows:
An inline Intrusion Prevention System is any hardware or software device that has the ability to both detect and prevent known attacks. Oftentimes heuristic, anomaly-checking, or signature-based filtering is used.

Even more simply put, Intrusion Prevention is specifically targeted at finding (detecting) and then stopping (preventing) publicly known yet stealthy application-specific attacks. The term Intrusion Prevention System itself is used to combine (or unify) both the concept of a detection system and the concept of a prevention system under one construct. It is important to note that the definition only addresses known attacks.
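The distinction the definition draws (signature-based IPS stops only known attacks, while the Application Defenses goal of item 4 above is to admit only traffic the application is expected to receive) can be made concrete with a toy inline filter. The example below is added here and is not code from the paper or from any Secure Computing product; the signature pattern, the application policy, and the three HTTP request lines are all constructed for illustration.

```python
"""Toy inline filter contrasting two models discussed in the paper:
signature matching (known attacks only) versus a positive policy model
(allow only what the protected application actually accepts)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Verdict:
    allowed: bool
    reason: str


# Signature model: (name, regex over the HTTP request line).
# Constructed, simplified stand-in for the kind of entry an IPS look-up
# database holds: an overlong alphabetic query aimed at an .ida handler.
SIGNATURES = [
    ("ida-overlong-query", re.compile(r"\.ida\?[A-Za-z]{100,}")),
]

# Positive model: what the protected Web application is published to
# accept. Constructed for this example; a real policy would be derived
# from the application itself.
POLICY = {
    "methods": {"GET", "POST"},
    "paths": {"/", "/index.html", "/search", "/cart"},
    "max_query_len": 256,
    "query_charset": re.compile(r"^[A-Za-z0-9_=&%.\-]*$"),
}


def parse_request_line(line: str):
    """Split 'METHOD target HTTP/x.y'; reject anything else outright."""
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    return parts[0], parts[1], parts[2]


def signature_check(line: str) -> Verdict:
    """IPS-style check: block only if a known-attack signature matches."""
    for name, pattern in SIGNATURES:
        if pattern.search(line):
            return Verdict(False, f"signature:{name}")
    return Verdict(True, "no signature matched")


def policy_check(line: str) -> Verdict:
    """Application-Defenses-style check: block anything outside policy,
    whether or not it is a known attack."""
    try:
        method, target, _ = parse_request_line(line)
    except ValueError as exc:
        return Verdict(False, f"policy:{exc}")
    if method not in POLICY["methods"]:
        return Verdict(False, f"policy:method {method} not allowed")
    url = urlsplit(target)
    if url.path not in POLICY["paths"]:
        return Verdict(False, f"policy:path {url.path} not published")
    if len(url.query) > POLICY["max_query_len"]:
        return Verdict(False, "policy:query too long")
    if not POLICY["query_charset"].match(url.query):
        return Verdict(False, "policy:query contains unexpected characters")
    return Verdict(True, "conforms to application policy")


def evaluate(line: str) -> dict:
    """Run both models over one request line and return their verdicts."""
    return {"signature": signature_check(line), "policy": policy_check(line)}


# Constructed sample request lines.
LEGIT_REQUEST = "GET /search?q=firewall&page=2 HTTP/1.1"
# Known attack: matches the stored signature and is also off-policy.
KNOWN_ATTACK = "GET /default.ida?" + "N" * 200 + " HTTP/1.0"
# "Unknown" variant: protocol-valid, published path, no signature match,
# but its 362-byte query exceeds what the application ever expects.
UNKNOWN_VARIANT = "GET /search?q=" + "%41" * 120 + " HTTP/1.1"

if __name__ == "__main__":
    for label, req in [("legit", LEGIT_REQUEST), ("known", KNOWN_ATTACK),
                       ("unknown", UNKNOWN_VARIANT)]:
        verdicts = evaluate(req)
        print(f"{label:8} signature={verdicts['signature']}  "
              f"policy={verdicts['policy']}")
```

Run as a script, the unknown variant is the interesting row: the signature model passes it because nothing in the database matches, while the policy model blocks it for the same reason a proxy firewall with Application Defenses would.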

What do the analysts say about IPS?

Gartner recently remarked on Intrusion Prevention products, saying "few products provide the features that Gartner believes are necessary for true Intrusion Prevention."[1] We would say that is true, but we would go further by saying that no products provide the features that Gartner believes are necessary for true Intrusion Prevention across multiple protocols and applications. Gartner describes Intrusion Prevention in part like this: "Intrusion Prevention must block malicious actions using multiple algorithms. Intrusion prevention systems must provide blocking capabilities that include signature-based blocking of known attacks. However, intrusion prevention systems must also move beyond simple signature-based approaches, such as those used by antivirus and intrusion detection systems, to at least support policy, behavior and anomaly-based detection algorithms. These algorithms must operate at the application level in addition to standard, network-level firewall processing. It must also have the wisdom to know the difference (between attack events and normal events)." CIO Update, 4 June 2003.


Over the past number of years, the industry's insider-threat solution has focused on Intrusion Detection (IDS), but efforts there have proved to be disappointing to some degree (more on this later in the paper). The outsider-threat solution has focused on firewalls, but efforts there by the commodity firewall manufacturers, obsessed with performance over security as their key differentiator, have proved to be disappointing as well. Carnegie Mellon University's CERT Coordination Center has had this to say about stateful inspection technology: "The principal motivation for stateful inspection is a compromise between performance and security." Source: Security Requirements: Design the Firewall System, CERT Coordination Center, Carnegie Mellon University.

Intrusion Prevention signals evolution from a reactive to a proactive security model

Focusing our thinking and energies around Intrusion Prevention makes sense, then, as the industry tries to combat future threats like Code Red, Nimda, and SQL Slammer. These high-profile attacks continue to bring much-needed attention to a class of rapidly spreadable, application-specific, data-driven attacks. In particular, they have gotten the attention of IT professionals who are now seeking information such as this paper provides, and they have stimulated the security products manufacturers into developing a new set of countermeasures and products which claim to deliver Intrusion Prevention. These measures are discussed further in the following sections.

Interest in Intrusion Prevention is a hopeful, reinforcing indicator that the positive transition from a reactive security posture to a more proactive security posture is accelerating. Consider the react-and-patch cycle we talked about previously. That is not a manageable solution to the problem. Security gurus have always recommended that organizations maintain a high state of readiness in the face of attack, and that the way to do that is to keep your systems updated to the current software patch levels at all times. On the face of it this sounds very reasonable, but organizations are realizing that maintaining 100% patch-current status for all systems and all applications that run 24x7x365 is an unachievable goal. Executives, who are increasingly being asked by regulators to account for everything from accounting practices to disaster recovery plans, want to find better ways to manage risk that are more automated, centrally manageable, and preventative. So the Intrusion Prevention paradigm reinforces the need for a shift to a more proactive approach to identifying and mitigating risks to organizations' networked applications.
Even if the technology is not mature today, energies focused around the topic promise to improve our electronic security posture in much the same way as the recent energy focused around global terrorism is making communities and individuals safer, because we are doing things proactively to get ahead of the threat.

What's out there now and what can it do for me, or not?
Products currently available trying to provide parts of Intrusion Prevention
As we've said, many are questioning whether Intrusion Prevention is a product and if it is ready for prime time. All security products are designed to help prevent some aspect of an intrusion attempt. The term Intrusion Prevention can be considered a broad concept that unifies a number of the features found in traditional anti-virus, firewall, and intrusion detection products. The need for a proactive defense, to thwart targeted and opportunistic attacks on the enterprise and its applications, has not changed. But as we've indicated, no single product can currently provide this level of defense. So, then, what is available, and what are the benefits and drawbacks? We will address this question in the sections below.


The security solutions market is segmented

Competitive forces in the security marketplace and highly specialized and difficult technology challenges have created a security-products market today that consists of segments of tools grouped around different (but associated) fundamental security problems. The true multi-layered defense-in-depth security solution today consists of deploying most or all of them on your network. For example:

- User authentication products from companies such as Secure Computing and RSA that provide strong (one-time-use) passcode-generating tokens, smart cards, biometrics, and more.
- Anti-virus products from companies like Symantec and Network Associates that focus on addressing the threat from viruses and malicious code.
- Firewall products from companies like Secure Computing and Check Point that provide access control between networks based on the notion of "deny that which is not explicitly allowed."
- Intrusion detection solutions from companies like Cisco and ISS (the newest to the scene) that monitor network traffic to detect known attacks based on a database of signatures and/or some level of traffic anomaly detection.

Figure 1: Reducing external profile exposure

For various reasons, all of these solutions work well enough together to be considered generally effective against a large number of known threats. As a result of their deployment, the externally visible (exposed) profile of networks is reduced by: 1) making it harder to tell what computers are present, 2) making it tougher to probe for vulnerabilities, and 3) creating a single point of entry and exit for monitoring.[2] According to the 2003 CSI/FBI Computer Crime and Security Survey, 99% of survey participants used anti-virus products and 98% owned a firewall, while 73% had an active deployment of intrusion detection capabilities.[3] However, all of these tools lack the integration and capabilities to cover the entire risk profile of publicly exposed business applications for one specific reason: they are unable to defend applications from many new, unknown attacks that reveal themselves over time.


Developing a true Intrusion Prevention System is not an easy task

For any new so-called Intrusion Prevention technologies or products to be successful in the marketplace, they must cost-effectively and manageably reduce the attack surface of networks relative to new application-level attacks. This is a challenge, because these solutions need to automatically and efficiently stop the things that are slipping through the cracks presently existing within or between today's segmented security products. And they need to do it across all protocols and applications if possible. It is a natural evolutionary response in the market for the well-established security product manufacturers to try to cover these cracks within a number of already well-established security approaches, including commodity screening firewalls, application proxy firewalls, network-based anti-virus services, and network- and host-based Intrusion Detection Systems (IDS), to name a few of the most obvious examples. Established security vendors are working, more or less, to better utilize enhanced hardware technology, more granular software inspection techniques, and better deployment and management tools to deal with the rise in application-specific attacks. It is also a natural evolutionary response that when existing products falter, new products emerge to cover new and evolving threats. These new pure-play Intrusion Prevention products appear to be innovative, but so far they focus almost exclusively on Port 80 services. While this is critical, security professionals need to prevent intrusions across many entry points that are directed at many different applications, not just Web servers. So while dropping a so-called Intrusion Prevention gateway into the network in front of e-business Web servers may provide some protection, it remains only a finger in one hole in the security dike. Some other well-established security gateway vendors are going a bit further yet.
Rather than just add simple incremental feature enhancements to their single-purpose products, they are offering combination solutions (i.e., suites) that deliver best-of-breed anti-virus, firewall, and intrusion detection capabilities all in one platform. Outbound Web filtering is also included in some of these products to help organizations control employee access to the Internet, increase employee productivity, and limit legal liability. As discussed earlier, this is the logical evolution of tried-and-true multi-layered defense-in-depth security. Specialty segments appear, like single-port security gateways, and then almost inevitably they merge and blend into other multi-use products.

The IPS buzz word is closely associated with emerging companies and products
There are a number of emerging new security companies (all pre-IPO) focusing their message on Intrusion Prevention, but again, most are only for one protocol: HTTP. Many traditional multi-protocol security gateway companies (firewall, anti-virus, IDS) are adjusting their marketing and positioning as a result, and some of them claim to be building new technology. IDS vendors are claiming to be building firewalls. Load balancing systems companies are being talked about as if they could be Intrusion Prevention Systems some day. There will likely be mergers, acquisitions, and the inevitable liquidations coming in the near future to this new Intrusion Prevention area of the IT security marketplace. As just mentioned, a small number of new inline gateway products are coming onto the market that claim to mitigate the untenable react-and-patch cycle for Web servers. These emerging new security companies are presently living on venture capital with one or two distinguishing features that may indeed solve some short-lived, known threats to specific applications, but they are almost exclusively Web-centric, which means they have a long way to go to replace the technically mature and heavily deployed enterprise firewall on the network. Moreover, these types of Intrusion Prevention capabilities are not available much at all right now from the well-established, financially viable security companies. But in response to this new wave of application-specific attacks and the buzz around Intrusion Prevention, these established vendors have begun to change the way they talk about their products, whether or not their products actually prevent intrusions. Closely associated with the new Intrusion Prevention features being talked about, there is a growing notion that hardware-accelerated processing of security filtering is an enabler of the promises. We will talk more about this later in the paper, in particular regarding ASICs.

Given the present state of this emerging market, it seems there will likely be mergers, acquisitions, and the inevitable liquidations coming in the near future to this new Intrusion Prevention-labeled space. The security community most recently experienced this evolutionary market cycle with IDS (intrusion detection), the last few years' buzzword. The industry will take time to sort things out, and during that time enterprises are well served to examine carefully what specific needs they have in the context of their own changing requirements and organizational goals.

What about IDS (Intrusion Detection Systems)?

Some argue that the true purpose of IDS is monitoring, while others argue that it is required for appropriate inline screening. Certainly, the ability to detect specific attacks or network anomalies is important as a warning system, but also as a component of preventing the attacks. There is increasing pressure on Intrusion Detection companies to re-introduce themselves as purveyors of IPS. The concepts ingrained in intrusion detection systems complement firewalls, as they may contain scanning techniques for specific things beyond a firewall's explicit policy-based access control enforcement and protocol validation. Yet IDS systems don't have adequate signature or other more behavioral capabilities to replace a firewall as an access control device. Neither do they deliver Application Defenses, which would provide protection against unknown threats. For example, at least one firewall vendor has an application filtering option that requires strict RFC 1738 URLs.4 All other connection attempts are rejected and a "404 Malformed Header" response is generated.5 This particular application compliance check prevented Code Red from infecting Web servers because it rejected a specific kind of Microsoft IIS URL encoding, one which does not follow the rules for URL-referenced content as defined in the international standard. These types of application-level attack prevention features may or may not also be found in a corresponding IDS signature. In the case of the IIS encoding attack, IDS systems were found not to prevent the attack.6 Firewall checks are generally static, meaning they look for conformance, and there are attacks that arrive in properly formatted, RFC-compliant messages. This is why the signature and anomaly technology concepts used in intrusion detection systems are important to a proper defense. Yet the challenge of preventing unknown attacks is always going to exist.

No heuristic, anomaly, or signature-based system that allows everything in except what is caught by scanning packets as they pass will solve 100% of the problem. An IDS/firewall combination, given appropriate implementation, is generally more effective than a firewall by itself. There is a push within the security market to blur the lines between IDS scanning capability and a firewall's application and protocol checking capability. This is part of the latest hype cycle.
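As an added illustration of the two layers this section contrasts (a strict RFC 1738 compliance check in front, a signature check behind it), here is a small Python URL inspector. It is example code written for this page, not Secure Computing's or any vendor's filter; the signature table and the sample URLs are constructed, the "%u" escape stands in for a non-RFC encoding of the kind IIS accepted, and the RFC 1738 reading is a strict one that also rejects characters such as "~".

```python
"""Two-layer URL inspection: RFC 1738 compliance first, signatures second.

Added example, not vendor code. Assumptions: a strict reading of RFC 1738
sections 2.2 and 3.3 (only unreserved, reserved, and %HH-escaped
characters are legal in the path/query), and a small constructed
signature table.
"""
from dataclasses import dataclass
from urllib.parse import unquote

# RFC 1738 character classes for the path/query of an http URL.
UNRESERVED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                 "0123456789$-_.+!*'(),")
RESERVED = set(";/?:@=&")
HEX = set("0123456789abcdefABCDEF")

# Constructed signature table: substrings looked for AFTER escape decoding,
# because a known attack can arrive perfectly RFC-compliant (e.g. "..%2F").
SIGNATURES = (
    ("path traversal", "../"),
    ("script injection", "<script"),
)


@dataclass
class Verdict:
    allowed: bool
    layer: str    # "compliance", "signature" or "none"
    reason: str


def rfc1738_violation(url):
    """Return None if url is RFC 1738 compliant, otherwise a reason string.

    A single left-to-right pass: every character must be unreserved,
    reserved, or part of a well-formed %HH escape. Anything else (space,
    '<', '#', '~', a lone '%', a '%uXXXX' escape, non-ASCII) is rejected,
    whether or not anyone has written a signature for it yet.
    """
    if not url.startswith("/"):
        return "path must start with '/'"
    i = 0
    while i < len(url):
        ch = url[i]
        if ch == "%":
            hexpair = url[i + 1:i + 3]
            if len(hexpair) != 2 or not set(hexpair) <= HEX:
                return "malformed escape %r at offset %d" % (url[i:i + 3], i)
            i += 3
        elif ch in UNRESERVED or ch in RESERVED:
            i += 1
        else:
            return "illegal character %r at offset %d" % (ch, i)
    return None


def signature_hit(url):
    """Return the name of the first matching signature, or None."""
    decoded = unquote(url).lower()
    for name, pattern in SIGNATURES:
        if pattern in decoded:
            return name
    return None


def inspect_url(url):
    """Compliance check first (knocks down whole classes of malformed
    requests, known or not); signature check second (catches known
    attacks that are fully compliant)."""
    reason = rfc1738_violation(url)
    if reason is not None:
        return Verdict(False, "compliance", reason)
    hit = signature_hit(url)
    if hit is not None:
        return Verdict(False, "signature", hit)
    return Verdict(True, "none", "compliant, no signature match")


if __name__ == "__main__":
    # Constructed, harmless sample requests.
    for sample in ("/index.html?q=hello%20world",
                   "/search?q=%u00e9",
                   "/cgi-bin/view?file=..%2F..%2Fetc",
                   "/~user/page.html"):
        print("%-36s -> %s" % (sample, inspect_url(sample)))
```

Note the last sample: a strict RFC 1738 check also rejects "~", so tightening compliance trades some false positives on legitimate URLs for protection against encodings no signature covers yet.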

Figure 2: IDS monitors attacks but has systemic problems not yet solved.


Gartner's Research Director, Richard Stiennon, recently announced: "Intrusion detection systems are a market failure, and vendors are now hyping Intrusion Prevention systems, which have also stalled. Functionality is moving into firewalls, which will perform deep packet inspection for content and malicious traffic blocking, as well as anti-virus activities."7 Indeed, intrusion detection vendors are recognizing that the buzzword IDS is no longer the darling of market commentary and trade press activities. Many IDS vendors are re-stating their mission to address Intrusion Prevention. At least one is attempting to build a firewall from scratch. Many in the IT security community scoffed at the notion of multiple technologies merging (firewall, anti-virus, IDS, etc.). Yet Gartner is correct. The base IDS technology as a blocking and prevention solution has not fundamentally changed. Moreover, many of the types of attacks that are encoded in IDS signatures can be prevented by adding checks to application-level inspection firewalls. This raises the question: Is IDS as universal as the firewall in providing a platform for multi-layered defense-in-depth? The answer to this question is clearly no, but that does not mean that the industry is rejecting IDS as a technology. The evolution of security technology into real-world, effective use continues just as it always has.

Emphasis on performance
The performance requirement to have hardware-assisted processing is part of the hype surrounding IPS. These technologies are useful in certain high-bandwidth, core network infrastructures, but on balance, companies evaluating vendors with ASIC (application-specific integrated circuit) components should understand that just because a company claims to utilize a special processor does not mean that it will be able to quickly deploy comprehensive and extensible policy enforcement, or Application Defenses for that matter. In fact, the opposite may be true: the solution could be extremely limited. For example, there is a vendor recognized as one of the leaders in the firewall appliance market who has recently acquired an IDS vendor, yet their firewall appliance feature for protecting against malicious URLs is limited to 16 malicious URL string patterns, "each of which can [only] be up to 24 characters long."8 This example demonstrates that a vendor owning both ASIC technology and intrusion detection technology is not thereby qualified to replace more flexible software solutions for all product usage scenarios, in particular Application Defenses. To reinforce that point further, be aware that this vendor has also had several significant vulnerabilities in their products.9 The point is that they have other, more serious limitations beyond ASICs that are unfortunately shared by most other commodity firewall competitors as well. These commodity firewall providers have not yet delivered an architecture that will itself not introduce vulnerabilities into the networks where they are trusted to be deployed.

Trade-offs with ASICs
When evaluating vendor claims with regard to ASICs, organizations should realize the trade-offs.

- ASICs are hard-coded. The core logic of an ASIC generally cannot be updated by software, meaning many of the vendors using them cannot extend the core logic. When additional checking, memory, or other requirements demand a hardware change, users have to purchase a new box.
- ASICs are expensive. Security flaws and/or feature enhancements to hardware can't be fixed without a forklift upgrade.
- ASICs are limited. ASICs are not so useful for certain types of security checking. For example, if a virus scanning engine is deployed in a gateway to scan file attachments, ASICs don't provide much value, as the packets have to be reassembled and the file attachments run through the scanner via disk or memory, not in ASICs.


Application Defenses defined

What are Application Defenses?
As we've described, Intrusion Prevention Systems by common definition are targeted to stop known (previously discovered) attacks. In order to really evolve the IT security solution set, a shift is needed to also prevent unknown attacks, which means deploying Application Defenses to prevent intrusions. Application Defenses are application-specific filtering, compliance validation, and automated response techniques with granular content controls that deliver policy-based enforcement of communications to and from networked systems for the purpose of eliminating as many known and unknown attacks as possible. The table below references a number of components that solutions should incorporate in order to provide Application Defenses. Simply put, if a system has the capability to maintain the same reduced profile as today's solutions, prevents intrusions from known attacks, and prevents unknown attacks by filtering, blocking, and validating techniques that knock down whole classes of attacks trying to work their way around current firewall capabilities, then it is an Application Defenses solution. However, if a vendor is merely renaming IDS or other technologies that only defend against known attacks, their incantation of Intrusion Prevention really means "add another security appliance to your network in addition to what you already have." Indeed, if a product does not have the ability to provide Application Defenses, then it is by definition limited to Intrusion Prevention of known attacks only.

Defense-in-depth Check list

Policy definition and enforcement
- Define network objects for devices and groups of devices
- Define user roles / access groups
- Administrator access tightly secured

Basic access control
- Stateful packet inspection (source, destination, service)
- User authentication for remote clients
- Basic network controls for VPN clients (allowed services)
- Basic network controls for SSL clients (allowed services)
- Conceal protected networks (NAT and other techniques)

Application Defenses
- Termination and inspection of HTTP/S communications
- Deep packet inspection and smart application proxies (protocol validation)
- Permitted methods for protocols (e.g. HTTP/S and H.323)
- Out-bound URL and content permissions
- Inbound URL input filtering and controls
- Content scanning and stripping of dynamic content and scripting
- Scanning for attacks using a signature database
- Scanning for viruses and malicious code using a virus definitions database
- Heuristic, anomaly, or statistical baseline analysis of packet flows
- Response to suspicious activity in the audit stream
- Preventing attacks against the appliance operating system itself

Compatibility with infrastructure
- Load balancing / high availability
- Interoperability with third-party directory services / authentication tools
- Interoperability with third-party reporting and monitoring tools

Personnel support
- Product certification and training
- Quick answers and third-party validated customer service


Why firewalls with Application Defenses are the home for IPS
Firewalls are often the first line of defense. The goal of a firewall is to knock down things that are generic and opportunistic, not just at the network level. Firewalls have proven very successful at this, particularly when layering stateful inspection and application proxy-based approaches. Today the traditional firewall vendors are recognizing the need for more thorough checking of application-level policies in order to eliminate the threat of attacks that turn business applications against themselves. This means proxies, although in the past many firewall vendors lacking these capabilities tried to make "proxy" a dirty word. Yet recently the same vendors have been cloaking their own new use of proxies under fancy marketing jargon. Their anti-proxy rhetoric of the past is now coming back to challenge them. If stateful packet inspection firewalls were presently delivering the same level of application-specific checking as the newly emerging IPS solutions claim to, these new market entrants based on proxy technology would not be getting installed on networks behind or around already deployed commodity firewalls. This is not to say that proxies have solved all of the requirements of customers, yet they provide the most proven Application Defenses of today and they offer a solid foundation to build on for the next generation of Application Defenses in the near future. In the broad market (from consumer user to Fortune 500) people have assumed the words "stateful inspection" to equal "firewall." However, because of the need for tighter protocol validation, traditionally provided by proxies, the concept of Application Defenses with Intrusion Prevention will include both proxy and stateful inspection technology. This is the perfect opportunity for IT security professionals to reacquaint themselves with the additional security capabilities of proxies.

For example, suppose an administrator is running T.120, a broad protocol used to support data conferencing services such as chat and whiteboarding (e.g., Microsoft NetMeeting). A hybrid firewall vendor (one that provides both proxies and stateful packet inspection) has a T.120 proxy that enforces controls on which specific T.120 services are allowed.10 The organization's security policy may allow whiteboard and chat, but not desktop sharing. In a stateful packet inspection mode of operation this would not be possible. Likewise, traditional IDS can only look for specific signatures or use a statistical baseline to generate alerts. The use of application-layer proxies in this scenario complements the other technologies to provide a robust solution. There are a few additional product segments attempting to address Intrusion Prevention. For example, some Layer 7 switches have the ability to inspect the URL to direct particular requests to specific servers based on predefined rules.11 This technology, plus the switch's unique location in the network, has certain advantages that might be used in the future for more security-focused offerings. From a user's perspective, though, it is not clear how focused the vendors that make these products are on integrating with other solutions beyond the basics of today, or how they will provide Application Defenses.

The state of IPS technology

The state of IPS technology is immature if you define it as a single-vendor, all-encompassing product that detects, monitors, prevents, updates, and reports on every transmission for in-bound and out-bound access through a particular network choke-point. Recently, enterprises have spent millions of dollars on products to help them secure their networks. Today's newly emerging IPS products are focused almost exclusively on Port 80, and so they are not replacing existing systems. They are instead augmenting them. An all-encompassing multi-protocol IPS solution will have to be developed and proven before any such system would be taken seriously as an actual replacement for already deployed systems.


Long-term goals
In the future, an inline security gateway solution should achieve these goals:

- The ability to detect and prevent attacks based on logical or physical use of multiple enforcement technologies. Broadly, this includes the ability to prevent both known and, to some degree, unknown attacks using Application Defenses.
- The ability to interoperate with deployed security infrastructure for the purposes of supporting data collection, electronic evidence, surveillance, and regulatory compliance as needed.
- The ability to not disrupt business operations because of lack of availability, poor performance, false positives, or inability to interoperate with required authentication infrastructures.
- The ability to support IT security professionals in delivering their organization's risk management plan, which includes the cost of implementation, operation, and work outcomes from the alerts and reporting from the system.

Challenges to reaching these goals

- There are currently no acceptable third-party ROI studies demonstrating the efficiency of IPS as a solution.
- The market hype surrounding Intrusion Prevention is confusing what the technology can really provide with what it promises.
- The capabilities required to build a complete Intrusion Prevention system do not all currently reside within the same technology segments (vendors), which will require industry integration and consolidation.
- The multi-layered approach to IT security continues to be validated as the industry evolves. The migration does not appear to be away from layered defense-in-depth, only in how it is organized.
- Many of the IPS solutions will require IDS-like human-power for tuning, monitoring, and reporting. There are still logs to parse through (if the administrator is doing his/her job), and there is still the need for 24x7 personnel responsible for the device, unless the systems are powered off nightly (which is highly unlikely).12

A pragmatic view of the future

People bound by organizational roles and work culture select security solutions in various ways, but are always restricted by time and budget. Currently, there is no workable one-size-fits-all product that meets broad market needs at a level where it could replace existing firewall, Network Intrusion Detection System (NIDS), layer 7 switch, and other components that may (or may not) become the inline security gateways of tomorrow. However, if one such product appears, it would need to meet a significant portion of the goals discussed previously in this document, including Application Defenses capability. What's next? Evolution is not something that is generally predictable many steps into the future. Go back to step 1: the threat-countermeasure cycle. Future threats, unknown to us today, will drive the direction of our future solutions. There may be new threats and new system vulnerabilities discovered that affect the Intrusion Prevention security concepts of today in fundamental ways; or maybe there won't be. But Intrusion Prevention System evolution is most likely to be a gradual merging over time of various security concepts into one true Application Defenses model. Don't be surprised if it ends up being in your tried-and-true hybrid firewall. So, stay tuned for the future.


Enjoy part one, ready to hear more?

Part Two is on our editor's desk now. It will discuss in detail Secure Computing's Application Defenses product strategy for the Sidewinder G2 Firewall. For more from Secure Computing visit: We'll e-mail part two straight to your inbox as soon as it is published.

Evaluating options
Here are five things you should consider when evaluating Intrusion Prevention solutions.

Security matters
Does the product being proposed as a solution have a history of security vulnerabilities? Do they offer 12 of the things you have already implemented plus 2 that you have not? What is the differentiation, specific to your risk profile? Do they have any Application Defenses?

Current investments matter

What are the impacts of proposed solutions on your operational infrastructure? On people? Are you a guinea pig for this tool, e.g., are other organizations with missions similar to yours deploying the product? Are you being asked to write off more in deployed tools to get ROI and TCO from the proposed ones? How mature is the proposed solution compared to your existing infrastructure? What training, operational disruption, or manpower costs are required relative to risk?

Track record matters
What is the history of the company that purports to defend against intrusions? Have they recently been acquired by a larger firm or are they being targeted for an acquisition? Either situation could drastically affect you. Are members of their management recognized for security expertise? Is the vendor that proposes a solution profitable, or at least cash-flow positive? Do they have sufficient access to capital to fund their business plan? Are they actively trying to reinvent themselves? Is the story consistent?

Relationships matter
Consider integration with monitoring, alarming, and reporting. Are there third-party relationships for monitoring, reporting, and authentication that support your major enterprise requirements? Does the vendor have relationships with the vendors in whom you are already significantly invested?


Your needs matter
Does the vendor understand requirements for third-party certifications that others in the industry have achieved, e.g., Common Criteria? Do they understand the regulations that you must comply with, e.g., Gramm-Leach-Bliley (GLBA), Sarbanes-Oxley, or HIPAA? Are they trying to sell you a box or a solution?

Glossary of terms
Application Defenses
Application Defenses are application-specific filtering, compliance validation, and automated response techniques with granular content controls that deliver policy-based enforcement of communications to and from networked systems for the purpose of eliminating as many known and unknown attacks as possible.

Application-layer firewall
A firewall system in which service is provided by processes that maintain complete TCP connection state and sequencing. Application layer firewalls often re-address traffic so that outgoing traffic appears to have originated from the firewall, rather than the internal host.12

Application-specific integrated circuit (ASIC)

A customized microchip which is designed for a specific application.13

Intrusion Detection System (IDS)

A combination of hardware and software that monitors and collects system and network information and analyzes it to determine if an attack or an intrusion has occurred. Some ID systems can automatically respond to an intrusion.14

Intrusion Prevention System (IPS)

An inline Intrusion Prevention System is any hardware or software device that has the ability to both detect and prevent known attacks. Oftentimes heuristic, anomaly checking, or signature-based filtering is used.

Proxy

A software security agent that intermediates between a client requesting an application connection and the requested application service.


References

1. J. Pescatore, R. Stiennon. "Enterprise Security Moves toward Intrusion Prevention." Gartner CIO Update, 4 June 2003.
2. Fred Cohen. "Next Generation Firewalls." Burton Group Catalyst 2003 Conference, July 10, 2003.
3. Computer Security Institute (CSI). CSI/FBI Computer Crime and Security Survey, 2003, page 5.
4. Berners-Lee, T., et al. "Uniform Resource Locators (URL)." RFC 1738, CERN, December 1994.
5. Secure Computing Corporation. G2 Firewall Admin Guide version 6.0: 7-20.
6. BUGTRAQ ID 3292. Security Focus Vulnerability Database. Security Focus.
7. Gartner. "Gartner Information Security Hype Cycle Declares Intrusion Detection Systems a Market Failure. Money slated for Intrusion Detection Should be Invested in Firewalls." June 11, 2003.
8. Netscreen Technologies. Netscreen New Features Guide for ScreenOS 4.0.3: page 6. Netscreen.
9. Security Focus Vulnerability Database. Security Focus.
10. Secure Computing Corporation. G2 Firewall Admin Guide version 6.0: 7-31.
11. Desai, Neil. "Intrusion Prevention Systems: the Next Step in the Evolution of IDS." Security Focus.
12. Firewalls Glossary.
13. Computer User.Com Dictionary.
14. CMU Software Engineering Institute. State of the Practice of Intrusion Detection Technologies: Appendix A, Glossary. [CMU/SEI-99-TR-028] January 2000.